Privacy Policy
How Heyou treats personal data — including the two-tier model that separates organizational data from individual users' personal-tier connections, and what we do not do with either.
1. Our Role and How We Organize Data
Heyou is a relationship intelligence platform that helps organizations and their users map existing professional networks and surface relevant relationship paths within them. We organize the data we process into two distinct tiers, each with its own access rules and legal treatment.
The Two-Tier Data Model
Organizational tier (Customer Data). Data the organization connects or that Users contribute in the course of their work for the organization. This includes CRM records, corporate email and calendar metadata, employee directory information, and professional network data — professional connections, public posts, and public profile fields that a User is exposed to through the User’s authenticated session on professional platforms, contributed to the organization’s relationship graph as part of the User’s work. Organizational-tier data is available across the Customer’s tenant subject to the Customer’s internal permission model. The Customer is the Controller for this data; Heyou is the Processor.
Personal tier (User Data). Data an individual Authorized User chooses to connect from intrinsically personal resources they control — a private email account, a personal messaging app, or direct private one-to-one messages on a professional network visible only to that User. User Data is held at the User level within the tenant. It is not visible to the Customer, Customer admins, or other Authorized Users unless the User affirmatively chooses to share specific data with the organization. The User is the Controller for User Data; Heyou processes it on the User’s behalf per the User’s acknowledgment at connection time.
What Heyou Processes and What Heyou Does Not Process
Heyou processes only what is necessary to map relationships and surface recommendations. For personal messages connected at the User tier, Heyou never ingests, stores, or processes the content of those messages — only metadata such as from, to, timestamp, interaction frequency, and similar non-content signals used to infer relationship strength. Heyou does not read the substance of any personal communication.
What Heyou Does Not Do
Heyou is not a data broker. Heyou does not operate, sell, or license a contact database. Heyou does not collect data for a Heyou-owned directory or data product. Customer Data is held in the Customer’s logically isolated tenant; User Data is held at the User level. Data is not used outside the context of the relevant tenant for cross-customer use cases.
Heyou does not aggregate Personal Data across customers to build any marketable directory or people-search product. Heyou does not operate a general-purpose public web crawler and is not designed to bulk-harvest external platforms. Where Heyou reads professional context from user-authorized sources, processing is scoped to the authorized user context, customer configuration, and applicable product controls. When Heyou presents an email address or phone number, it comes only from Customer Data, such as organizational systems or professional network data Users contributed to the organization, or from User Data, such as personal resources a User connected. Heyou does not use third-party enrichment, data-broker sources, or public scraping to obtain or supplement contact details.
Heyou does not use Customer Data or User Data to train third-party generative AI foundation models. Heyou may use Customer Data, User Data, and signals derived from them to improve its own proprietary non-generative relationship-scoring, classification, calibration, and path-ranking models as part of delivering and enhancing the Services, subject to the DPA, applicable agreement, user acknowledgment where applicable, tenant-isolation safeguards, cross-tenant leakage safeguards, and any applicable Order Form restrictions.
User-Identified Targets Not in Connected Systems
A User may identify individuals as targets for outreach who do not appear in the Customer’s CRM or other connected systems. For these individuals, Heyou processes only the minimum information needed to surface a relationship-path recommendation, drawing on information that is publicly available or accessible through the User’s authorized sources. Heyou does not store these individuals’ email addresses unless those addresses are already present in Customer Data or User Data, does not send them messages, and does not contact them on the Customer’s behalf. Heyou’s outputs are recommendations; any outreach is initiated by the User through the User’s own channels.
Roles Under Data-Protection Law
For Customer Data, including professional network data contributed by Users in the course of their work, the Customer is the Controller and Heyou is the Processor. Processing is governed by the DPA.
For User Data, unless otherwise agreed in writing with the Customer, the individual Authorized User controls the connection, visibility, and sharing of that User Data, and Heyou processes it on the User’s behalf under the User’s acknowledgment at connection time and this Privacy Policy. This user-level control model does not make User Data visible to the Customer, Customer admins, or other Authorized Users unless the User affirmatively shares specific data with the organization.
For website visitors, prospects, and individual account sign-ups on Heyou properties, Heyou acts as the Controller. This Privacy Policy describes that Controller processing.
2. Personal Data We Collect in Our Controller Role
Heyou may collect the following Personal Data where it acts as Controller:
- Account and contact data: name, business email, employer, job title, phone, and information provided in forms, demo requests, or support interactions.
- Communications: emails, chats, support requests, and call recordings or meeting notes with sales, success, and support teams where used.
- Marketing data: interactions with emails, events, webinars, and ads; preferences; and unsubscribe status.
3. How We Use Personal Data and Legal Bases
| Purpose | Legal basis under GDPR where applicable |
|---|---|
| Providing Heyou properties and evaluating the platform | Contract; legitimate interests |
| Responding to inquiries and support | Contract; legitimate interests |
| Sending marketing communications | Consent where required; legitimate interests otherwise |
| Product analytics and improvement | Legitimate interests |
| Security, fraud prevention, and abuse detection | Legitimate interests; legal obligation |
| Complying with law and responding to legal process | Legal obligation |
| Corporate transactions | Legitimate interests |
4. Sharing
We share Personal Data with the following categories of recipients:
- Service infrastructure and product delivery: hosting and cloud infrastructure, authentication, application monitoring and logging, AI model providers, transactional messaging, and payment processing.
- Website, marketing, and business operations: website hosting, lead capture, scheduling, call recording and transcription for sales and customer-success conversations, internal CRM, and product analytics.
- Professional advisors: auditors, lawyers, accountants, and bankers under confidentiality.
- Authorities: where required by law and subject to our government request commitments.
- Acquirers: in connection with a merger, acquisition, or sale of assets, with appropriate notice where required.
We do not sell Personal Data and do not share Personal Data for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
5. International Transfers
Heyou is headquartered in Israel, and Customer Data for EU tenants is primarily stored and processed in the European Union on Google Cloud infrastructure. Israel benefits from an EU adequacy decision, so transfers of Personal Data from the EEA to Heyou personnel in Israel may rely on that adequacy status.
For subprocessors located outside the EEA or outside an adequate jurisdiction, Heyou relies on appropriate transfer mechanisms such as the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, the EU-US Data Privacy Framework where applicable, and transfer impact assessments where appropriate.
6. Retention
We retain Personal Data only as long as needed for the purposes described in this Privacy Policy, the DPA, the applicable agreement, or as required by law. The Data Retention and Deletion Schedule sets default retention periods by data category, unless overridden by customer configuration, contractual requirement, legal obligation, or documented security need.
7. Your Rights
Depending on where you live, you may have the right to access, correct, delete, port, restrict, or object to processing; to withdraw consent; and to lodge a complaint with a supervisory authority.
To exercise rights, contact privacy@heyou.com. We will respond within the period required by applicable law and will not discriminate against you for exercising your rights.
Right to Object
Where Heyou or its Customer relies on legitimate interests to process Personal Data, data subjects may have the right to object. Where the objection relates to Personal Data Heyou processes as a Processor on behalf of a Customer, Heyou will support the Customer in assessing and responding to the request. Heyou may also maintain a suppression list for the limited purpose of preventing re-introduction of data where required to honor valid objections or opt-outs.
8. Children
The Services are not directed to individuals under 16, and Heyou does not knowingly process children’s Personal Data as part of the standard service.
9. Security
We implement administrative, technical, and physical safeguards appropriate to the risk, described in the Security Overview. No system is perfectly secure. We maintain an incident response program and notify Customers of incidents affecting Customer Data in accordance with the DPA.
10. Government Requests
Heyou does not provide governments with direct, unfettered, or bulk access to Customer Data. We require valid legal process, challenge overbroad requests where appropriate, and, unless legally prohibited, notify affected Customers so they can seek protective orders.
11. Changes
We will post material changes to this Privacy Policy and provide notice where required by law or contract.
12. Automated Decision-Making
Heyou does not use automated processing, including profiling, to make decisions that produce legal or similarly significant effects on any individual within the meaning of GDPR Article 22 or equivalent regimes. Heyou’s AI agents generate suggestions, such as relationship paths, draft messages, and relationship summaries. Every action with external effect requires human review and confirmation by an Authorized User. Heyou’s Acceptable Use Policy prohibits Customers from using Heyou outputs to make hiring, firing, promotion, performance, compensation, credit, insurance, immigration, housing, or other high-stakes decisions about individuals.
13. Contact
- Data protection: dpo@heyou.com
- General privacy: privacy@heyou.com
- Security: security@heyou.com